Page 3 - Hany_EL_Mokadem_Switch_Attacks_and_Countermeasures

password access on the VTYs, setting VTY ACLs, configuring banners (motd-banner or exec-banner) for clarification, and setting privileges on the VTY lines.
- Brute force/Dictionary attacks: In this type of attack an attacker automates the process of "guessing" the user name, the password, or both, either by trying a dictionary of common passwords or by trying combinations of the keyboard printables (i.e. letters, numbers, special characters, etc.). A solution would include blocking further attempts for a given time after a number of failed attempts and using a strong password.
* A strong password is a long password (8 to 12+ characters) that has upper-case letters, lower-case letters, digits and preferably spaces and special characters.

Figure 1-3 Log messages on a Cisco switch indicating login attempt failures and the expiration of the hold time.

Configuration
- Enabling SSH:
(config)#line vty 0 15
(config-line)#transport input ssh
- Example to enable VTY password authentication using the local username and password database:
(config-line)#login local
- Example to configure a VTY ACL:
(config)#access-list 10 permit 10.1.1.0 0.0.0.255
(config)#line vty 0 15
(config-line)#access-class 10 in
- Example to configure VTY banners:
(config)#banner motd $
Enter TEXT message.  End with the character '$'.
ONLY AUTHORIZED USERS ARE ALLOWED TO ACCESS $
(config)#line vty 0 15
(config-line)#motd-banner
- To set the privilege level on the VTY lines:
(config-line)#privilege level {0-15}
- Example to protect against brute force/dictionary attacks (login is blocked for 180 seconds if 3 wrong attempts occur within 60 seconds):
(config)#login block-for 180 attempts 3 within 60

MAC-Based Attacks

- MAC Flooding: Here the attacker floods the CAM table with more MAC addresses than the switch can store, which leads to the switch operating as a hub and gives the attacker the opportunity to sniff all traffic on the segment.